Azure API Management can't access App Service API - azure-active-directory

I have an Azure App Service that is protected by AAD Express Authentication. I intend to use the API Management service to manage it, but when I import the API into the management service and test one of my GET functions, it says 401 Unauthorized. I have tried adding a "validate jwt" policy, but I think I am doing something wrong. Can you tell me the correct way of making the connection to the AAD-protected App Service through the API Management service?

The Azure API Management feature allows you to expose apps deployed in Azure App Service in order to manage, protect, and secure their APIs.
To start using Azure API Management, go to the App Service extension and follow these steps:
Select a new or existing API Management service instance for exposing the app.
Manage the API: apply policies, edit or download an OpenAPI specification file, change the API configuration, or navigate to the API Management instance.
Please refer to this document.
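App Service Authentication rejects any request that does not carry a token it accepts, so a request from the API Management test console fails with 401 until the gateway either forwards a valid caller token or obtains one of its own. The following inbound policy fragment is an added example, not code from the original answer: it first checks the caller's Azure AD token with validate-jwt, then has the API Management instance's managed identity acquire its own token for the backend app registration and forwards that to App Service. The named values {{tenant-id}} and {{backend-app-id}} are assumed placeholders you would create in API Management, and the user_impersonation scope is an assumed scope name.

```xml
<!-- Added example, not the original answer's policy.
     Assumed placeholders: {{tenant-id}} and {{backend-app-id}} are APIM named values
     you create; user_impersonation is an assumed scope exposed by the backend app. -->
<policies>
    <inbound>
        <base />
        <!-- Step 1: reject the call at the gateway unless the caller presents a token
             issued by this tenant for this API. Returning 401 from APIM (rather than
             letting App Service reject it) makes the failure visible in the APIM trace. -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
            <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://{{backend-app-id}}</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/{{tenant-id}}/v2.0</issuer>
            </issuers>
            <required-claims>
                <claim name="scp" match="any">
                    <value>user_impersonation</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- Step 2: APIM's managed identity obtains a token for the backend app registration
             and replaces the Authorization header with it, so App Service Authentication sees
             a token it trusts. Prerequisites: a managed identity enabled on the APIM instance,
             and api://{{backend-app-id}} listed under the App Service "Allowed token audiences"
             (the accepted issuer must also match the issuer of the managed-identity token). -->
        <authentication-managed-identity resource="api://{{backend-app-id}}"
                                         output-token-variable-name="backend-token"
                                         ignore-error="false" />
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["backend-token"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this policy the caller's own token is checked at the gateway but not forwarded. If the caller's token is already issued for the backend audience, drop step 2 and API Management forwards the inbound Authorization header unchanged. Either way, the portal's Test tab succeeds only once you add an Authorization header carrying a token that passes step 1.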

Related

Azure Logic App trigger a REST API in Azure API Management

I have an Azure Logic App and Azure API Management. I need to call the APIs from the Logic APP.
But when I try to add the action "Call an Azure API Management API" I get this error: "GetCallFailed. The API 'apiManagementOperation' could not be found."
Any pieces of advice on this error?
It's a Logic App (Standard).
According to this documentation, functionalities in the Standard Logic App are either limited, unavailable, or not supported.
Some built-in triggers and actions are not available, such as Sliding Window, Batch, Azure App Service, and Azure API Management.
The feature of connecting to your API Management directly is available in the Consumption Logic App (Azure API Management).
Currently, the only option available in the Standard Logic App is to use an HTTP connector.

How to authenticate .NET Core web APIs using Azure AD with Office 365

I have a .NET Core 3.1 web API application deployed to Azure App Service. I want to set up authentication for the APIs using Azure Active Directory, with users logging in through their Office 365 account.
The architecture is like this: I have my Office 365 account ready. I request a token from Azure AD. With the JWT I get from Azure AD, I should be able to call all the API endpoints in my web API application deployed in App Service.
Can you please explain what configuration needs to be done in the Azure portal and what code changes are needed in the Startup.cs file?
Please refer to Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform.
The Microsoft.AspNetCore.Authentication middleware uses a Startup class that's executed when the hosting process initializes. In its ConfigureServices method, the AddMicrosoftIdentityWebApi extension method provided by Microsoft.Identity.Web is called.
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Identity.Web;

    // Registers JWT bearer authentication, reading tenant, client id and audience
    // from the "AzureAd" section of the configuration (appsettings.json).
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(Configuration, "AzureAd");
    }
You can protect a controller or controller methods using the [Authorize] attribute.
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;
    namespace webapi.Controllers
    {
        [Authorize]   // every action on this controller requires a valid bearer token
        [ApiController]
        [Route("[controller]")]
        public class WeatherForecastController : ControllerBase
        {
            // controller actions omitted in the original snippet
        }
    }
Deploying to Azure App Service doesn't require any different configuration. Just change the API endpoint to the real one when calling it.
You can see more details from Scenario: Protected web API.
If you want to call the API from a web app, you could refer to Scenario: A web app that calls web APIs.
Remember that you need to register two Azure AD apps: one for the client app (front end) and the other for the API app (back end). In the API app, you need to expose an API. Then you need to configure the client app: add the permission (scope) exposed by the API app to the client app. These are all mentioned in the links above.
UPDATE:
I assume that you have created the two Azure AD apps in the Azure portal and have configured the permissions between them. (If you haven't, please refer to Register the service app (TodoListAPI) and Register the client app (TodoListSPA).)
Then you could test your API in Postman like this:
In the second screenshot:
Auth URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Client id and client secret are from the Azure AD app which represents the client app (TodoListSPA).
Scope is the app id uri which is exposed by the Azure AD app which represents the service app (TodoListAPI).

Azure Logic App trigger a REST API in Azure API Management

I have an Azure Logic App and Azure API Management (APIM), and I would like to call the APIs in the Azure APIM from the Logic App at different intervals.
I can find Azure API Management in the list of steps in the Azure Logic App, but after adding it there is nothing there.
I wonder how I can connect my Azure APIM resource to this?
According to some tests, if we choose "Consumption" as the pricing tier when we create the APIM, we can't see it in the Logic App "Azure API Management" connector. So please choose another pricing tier (such as "Developer") for your APIM.

API Management to Logic App: 404 Not Found

I have developed a solution using Azure Logic Apps and API Management in Azure. The API in Azure API Management calls an Azure Logic App workflow [HTTP trigger] as the backend service.
The solution works fine with the Azure Logic App on one resource, Test. When I create the same Logic App in another resource, Pre-production, I receive a 404 Not Found error.
I have two resources for API Management [Test and Pre-prod] and two corresponding Logic App resource groups [Test and Pre-prod]. The connection from both API Management APIs to the Logic App in the Test resource group is successful.
However, when I try to connect to the Logic App workflow on Pre-prod, I encounter a 404 Not Found error. I can select the workflow as the back-end service through the API Management interface.
I have tested the Logic App workflow using Postman and it works fine. It is only the API in API Management which cannot connect.
I tried to investigate using Trace, but it does not provide any clue.
Any suggestions and help are welcome.
I found the issue. It was a return status coming back from Logic Apps, which was resource specific. Otherwise, the call from API Management was going fine.

Managing Azure AAD Applications with Microsoft Graph

I want to renew an Azure AAD application secret (key) with C# and the REST API. Which Graph API (developer.microsoft.com) should I be using?
Also, can I call the REST API with application authentication, as I need to run it as a background job? To set a new secret, does the application need to have any access, and how can I set this for the application?
You should use Azure AD Graph API for application and service principal management.
While AAD Graph is being deprecated, these features are still in beta on the Microsoft Graph API.
They have had major changes lately in the beta endpoint, and I would not recommend using that.
For C# you can use this library: https://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient/
Yes, you can use Client Credentials flow to authenticate.
Creating secrets is a highly privileged operation, however, and you may need to assign an administrator role to the service principal of your app.
You can do this using PowerShell, e.g. https://blogs.msdn.microsoft.com/aaddevsup/2018/08/29/how-to-add-an-azure-ad-role-to-a-enterprise-application-service-principal/.
Application Administrator might be enough for this, though I have not tested it.
Do note that your app will not be able to update its own secret if it has expired ;)